Exam HPE6-A73 topic 1 question 25 discussion

E is wrong Inbound VACL will apply to all ports that are receiving the VLAN traffic. Client 1 may be able to reach client 3 but the traffic will not return since it will be dropped by the VACL. B is correct because the traffic never crosses the core so the VACL is not used. D is correct because the server is inbound to VLAN 10 so VACL is not used and return traffic is permitted by VACL. C is wrong because the return traffic will cross the ACL and is not permitted for client 2. This picture is in my book and traffic flow is explained.

BD is correct

BD is correct

The only valid solution is B and E because traffic within vlan 20 is not affected from the VACL. Traffic from server 1 will be blocked because of a wrong IP source.

BE is correct

CLIENT1 - CLIENT2 - pass - Forwarded by Access2, no need to go trough CORE1 SERVER1- CLIENT1 - pass - Server 1 inbound VLAN10 on CORE1 return traffic from CLIENT1 in VLAN 20 match the ACL and is permitted.

CL3 - CL2 - drop on forward path by core1 cause match VLAN 20 and CL3 not CL1 as SRC IP CL1 - CL2 - pass - no ACL cause forwarded by Access2 SR2 - CL2 - pass on forward path by core1 cause match VLAN 10 Drop on return path by core1 cause match VLAN 20 and no CL1 as SRC IP SR1 - CL1 - pass on forward path by core1 cause match VLAN 10 pass on return path by core1 cause match VLAN 20 and CL1 as SRC IP CL1 - CL3 - pass on forward path by core1 cause match VLAN 20 and CL1 as SRC IP drop on return path by core1 cause match VLAN 20 and not CL1 but CL3 as SRC IP

E is correct because that traffic never passes through core, so never hits the VACL.

Only correct answer I can see is B. Can somebody explain how options D or E can operate in both directions through that VACL?

BE correct . Servers in another vlan and must go thru core from another interface and our rule will no mutch these traffic. a has a n implicit deny

what you seem to be forgetting here is the VACL will only apply on core 1 for traffic that is coming into the switch and into VLAN 20, so any device outside VLAN 20 will not have the source IP of the client. Hence B and E are correct.

B & E is correct. ACL permits traffic only from 10.101.20.21/32 IP address that is Client1. The question asks for a connection "in both directions". So only devices in the same VLAN can communicate in both directions, as they are not affected by a VACL.

The correct answer is B&D

The correct Answer is B&D

I think correct answer is B&D. Because inbound VACL filter all traffic arrives on a VLAN whether switched or routed.

So D&E are the only possible connections. Client1 to Client2 will work but not affected by the ACL

and the telnet traffic must flow through the core switch